I found that I wasnt able to add ACLs directly to the bastille-firewall.cfg script.

After doing some reading, here is my how-to and hopefully others will find it useful:

In this case I want to restrict ssh access to only one IP address (you can configure it for any number depending on your needs)

I order to restrict access to certain source IPs for certain protocols, using the Bastille-firewall setup you need to firstly create a new directory under /etc/Bastille. This directory needs to be called firewall.d

#cd /etc/Bastille
#mkdir firewall.d

You then need to create a new file within the newly created directory called post-rule-setup.sh

#cd firewall.d
#vi post-rule-setup.sh

This is the file where any IPTABLES rules can be entered. When you restart bastille.cfg the script is read and the rules applied. A knowledge of IPTABLES is required but once you get the hang of it, it is easy enough.
So in my case I want to allow ssh access to only 123.34.56.789 and deny it to ALL other IP addresses, so my post-rule-setup.sh file will look like this:

The first line accepts ssh (tcp port 22) connections only from 123.34.56.789 and the second line denies ALL other source IP addresses. If there is no match in this case 123.34.56.789 then all traffic bound for port 22 will be denied.

I realize this thread is (really) old, but for those who arrive via searching for this solution- its important to note that if you use the commands given in the previous example, you will effectively block ssh completely. Using "-I" inserts the rule into the top of the chain by default, so the rule rejecting all ssh traffic ends up being the first rule in the chain.